T1078.004
Valid Accounts: Cloud Accounts
Description from ATT&CK
Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a Trusted Relationship. Similar to Domain Accounts, compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
Once a cloud account is compromised, an adversary may perform Account Manipulation - for example, by adding Additional Cloud Roles - to maintain persistence and potentially escalate their privileges.
Atomic Tests
Atomic Test #1 - Creating GCP Service Account and Service Account Key
GCP service accounts can be used to gain initial access as well as to maintain persistence inside Google Cloud.
Supported Platforms: google-workspace,iaas:gcp
auto_generated_guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| project-id | ID of the project in which to create the service account and its key | string | art-project-1 |
| service-account-name | Name of the service account | string | gcp-art-service-account-1 |
| service-account-email | Email of the service account | string | gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com |
| output-key-file | Path of the JSON file the service account key is written to | string | gcp-art-service-account-1.json |
Attack Commands: Run with sh!
gcloud config set project #{project-id}
gcloud iam service-accounts create #{service-account-name}
gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
Cleanup Commands:
gcloud iam service-accounts delete #{service-account-email} --quiet
Dependencies: Run with sh!
Description: Requires gcloud
Check Prereq Commands:
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
Description: Check if user is logged in
Check Prereq Commands:
gcloud config get-value account
Get Prereq Commands:
gcloud auth login --no-launch-browser
Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified
Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.
Supported Platforms: iaas:azure
auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Azure username | string | None |
| password | Azure password | string | None |
| resource_group | Name of the resource group | string | None |
| runbook_name | Name of the runbook | string | None |
| automation_account_name | Name of the automation account | string | None |
Attack Commands: Run with powershell!
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Cleanup Commands:
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
terraform destroy -auto-approve
Dependencies: Run with powershell!
Description: Check if terraform is installed.
Check Prereq Commands:
terraform version
Get Prereq Commands:
echo Please install terraform.
Description: Requires the Az PowerShell module (Install-Module -Name Az)
Check Prereq Commands:
try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands:
Install-Module -Name Az -Scope CurrentUser -Force
Description: Check if the user is logged into Azure.
Check Prereq Commands:
az account show
Get Prereq Commands:
echo Configure your Azure account using: az login.
Description: Create dependency resources using terraform
Check Prereq Commands:
try {if (Test-Path "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
Get Prereq Commands:
cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
terraform init
terraform apply -auto-approve
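The Activity Log side of this test, as an added detection example that is not part of the atomic or of the Elastic rule it is based on: it alerts on completed create, modify or publish operations against runbooks, parses the resource id into resource group, automation account and runbook name, collapses the Started/Succeeded record pair into one alert, and lowers the severity for callers you expect to deploy runbooks. Field names follow the Azure Monitor Activity Log REST schema, the draft/publish operation names are assumptions to verify in your tenant, and all records are constructed.

```python
import re

# Activity Log operations that create, modify or publish a runbook. The first is the
# resource provider's write operation; the draft/publish names are assumed (verify them
# against your own tenant's Activity Log before relying on them).
RUNBOOK_OPERATIONS = {
    "microsoft.automation/automationaccounts/runbooks/write",
    "microsoft.automation/automationaccounts/runbooks/draft/write",
    "microsoft.automation/automationaccounts/runbooks/publish/action",
}
RESOURCE_ID = re.compile(
    r"/resourceGroups/(?P<rg>[^/]+)/providers/Microsoft\.Automation/automationAccounts/"
    r"(?P<account>[^/]+)/runbooks/(?P<runbook>[^/]+)", re.IGNORECASE)

def detect_runbook_changes(records, expected_callers=frozenset()):
    """One alert per completed runbook create/modify/publish operation.
    Activity Log emits a Started record and a Succeeded (or Failed) record for the same
    operation, so only the terminal Succeeded record is alerted on. Callers listed in
    expected_callers (e.g. a deployment pipeline identity) are reported at low severity."""
    alerts = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "").lower()
        if op not in RUNBOOK_OPERATIONS or rec.get("status", {}).get("value") != "Succeeded":
            continue
        m = RESOURCE_ID.search(rec.get("resourceId", ""))
        caller = rec.get("caller", "")
        alerts.append({
            "time": rec.get("eventTimestamp"), "caller": caller, "operation": op,
            "resource_group": m["rg"] if m else None,
            "automation_account": m["account"] if m else None,
            "runbook": m["runbook"] if m else None,
            "severity": "low" if caller.lower() in expected_callers else "high",
        })
    return alerts

def activity_record(ts, op, caller, status, rg, account, runbook):
    """Constructed Activity Log record in the Azure Monitor REST schema (not captured data)."""
    return {"eventTimestamp": ts, "caller": caller,
            "operationName": {"value": op}, "status": {"value": status},
            "resourceId": f"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{rg}"
                          f"/providers/Microsoft.Automation/automationAccounts/{account}/runbooks/{runbook}"}

WRITE = "Microsoft.Automation/automationAccounts/runbooks/write"
SAMPLE_RECORDS = [  # constructed: New-AzAutomationRunbook by an analyst, then a pipeline deploy, then noise
    activity_record("2024-05-01T10:00:00Z", WRITE, "analyst@example.com", "Started", "art-rg", "art-aa", "art-runbook"),
    activity_record("2024-05-01T10:00:02Z", WRITE, "analyst@example.com", "Succeeded", "art-rg", "art-aa", "art-runbook"),
    activity_record("2024-05-01T11:00:00Z", WRITE, "deploy-sp@example.com", "Succeeded", "prod-rg", "prod-aa", "patching"),
    activity_record("2024-05-01T11:30:00Z", WRITE.replace("write", "read"), "analyst@example.com", "Succeeded", "art-rg", "art-aa", "art-runbook"),
]
```

Running `detect_runbook_changes(SAMPLE_RECORDS, {"deploy-sp@example.com"})` yields one high alert for the analyst's art-runbook and one low alert for the pipeline's patching runbook; the Started record and the read operation produce nothing.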
Atomic Test #3 - GCP - Create Custom IAM Role
This atomic creates a new custom IAM role. The default role permission is iam.serviceAccounts.get (IAM Service Account Get). The idea for this atomic came from a rule published by the Elastic team, whose description reads:
Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.
Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
Supported Platforms: iaas:gcp
auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| project-id | ID of the GCP project to execute the command against | string | atomic-test-1 |
| role-name | The name of the role to be created | string | AtomicRedTeamRole |
| role-description | The description of the role to be created | string | Atomic Red Team Custom IAM Role |
| roles | Comma-separated list of permissions to include in the role (passed to --permissions) | string | iam.serviceAccounts.get |
Attack Commands: Run with sh!
gcloud config set project #{project-id}
gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
Cleanup Commands:
gcloud iam roles delete #{role-name} --project=#{project-id}
Dependencies: Run with sh!
Description: Requires gcloud
Check Prereq Commands:
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
Description: Check if user is logged in
Check Prereq Commands:
gcloud config get-value account
Get Prereq Commands:
gcloud auth login --no-launch-browser
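One detection covering both GCP atomics on this page (Test #1 and Test #3), as an added example that is not taken from Atomic Red Team or from the Elastic rule: it reads Cloud Audit Log Admin Activity entries, alerts on successful CreateServiceAccount, CreateServiceAccountKey and CreateRole calls, and escalates when a principal creates a key within minutes of creating the account, which is exactly the sequence Test #1 runs. The method names are the iam.googleapis.com audit methodName values; the log lines, principals and timestamps are constructed.

```python
import json
from datetime import datetime, timedelta

WATCHED_METHODS = {  # Admin Activity methodName values for the actions Tests #1 and #3 perform
    "google.iam.admin.v1.CreateServiceAccount": "service account created",
    "google.iam.admin.v1.CreateServiceAccountKey": "service account key created",
    "google.iam.admin.v1.CreateRole": "custom IAM role created",
}

def parse_entry(line):
    entry = json.loads(line)
    p = entry.get("protoPayload", {})
    return {"time": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
            "method": p.get("methodName", ""), "resource": p.get("resourceName", ""),
            "principal": p.get("authenticationInfo", {}).get("principalEmail", ""),
            "success": not p.get("status", {}).get("code", 0)}  # status.code is absent or 0 on success

def detect(lines, window=timedelta(minutes=10)):
    """Alert on successful watched calls; a key created by its creator within `window` is high."""
    alerts, account_created_at = [], {}
    for e in sorted((parse_entry(l) for l in lines), key=lambda x: x["time"]):
        if not e["success"] or e["method"] not in WATCHED_METHODS:
            continue
        alert = {"principal": e["principal"], "resource": e["resource"],
                 "reason": WATCHED_METHODS[e["method"]], "severity": "medium"}
        if e["method"].endswith("CreateServiceAccount"):
            account_created_at[e["principal"]] = e["time"]
        elif e["method"].endswith("CreateServiceAccountKey"):
            created = account_created_at.get(e["principal"])
            if created is not None and e["time"] - created <= window:
                alert["severity"] = "high"
                alert["reason"] += " within minutes of account creation"
        alerts.append(alert)
    return alerts

def audit_line(ts, method, principal, resource, failed=False):
    """Build a constructed audit LogEntry for testing (not captured log data)."""
    payload = {"serviceName": "iam.googleapis.com", "methodName": method,
               "authenticationInfo": {"principalEmail": principal}, "resourceName": resource}
    if failed:
        payload["status"] = {"code": 7, "message": "PERMISSION_DENIED"}
    return json.dumps({"timestamp": ts, "protoPayload": payload})

SA = "projects/art-project-1/serviceAccounts/gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com"
SAMPLE_LOG = [  # constructed: Tests #1 and #3 run by one user, plus a denied CreateRole by another
    audit_line("2024-05-01T10:00:00Z", "google.iam.admin.v1.CreateServiceAccount", "analyst@example.com", SA),
    audit_line("2024-05-01T10:00:20Z", "google.iam.admin.v1.CreateServiceAccountKey", "analyst@example.com", SA + "/keys/KEYID"),
    audit_line("2024-05-01T10:05:00Z", "google.iam.admin.v1.CreateRole", "analyst@example.com", "projects/atomic-test-1/roles/AtomicRedTeamRole"),
    audit_line("2024-05-01T10:06:00Z", "google.iam.admin.v1.CreateRole", "intern@example.com", "projects/atomic-test-1/roles/Denied", failed=True),
]
```

`detect(SAMPLE_LOG)` returns three alerts for the analyst (account created: medium, key created 20 seconds later: high, custom role created: medium); the intern's denied CreateRole is dropped because status.code is non-zero.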